Cyber criminals targeting public institutions with modified form of Qbot malware.

A team of cyber experts at BAE Systems has identified a new strain of Qbot, malicious software that has infected over 54,000 PCs in thousands of organisations across the world.

An emergency response to a Qbot attack on a public sector organisation has given BAE Systems insight into how the updated malware infects hosts, updates itself and hides from all but a very few antivirus and malware defences.

Following an attack on the organisation in early 2016 that affected more than 500 computers and impacted the operation of critical systems, BAE Systems’ analysts discovered a number of modifications had been made to the original Qbot malware to make it harder to detect and intercept. These included a new ‘shape changing’ or polymorphic code, which meant that each time the malware’s code was issued by the servers controlling it, it was compiled afresh with additional content, making it look like a completely different programme to researchers looking for specific signatures.

In addition, automated updates to the malware generated new, encrypted versions every six hours, outpacing efforts to update software on customer computers, which helped the virus to spread. The new Qbot also checks for signs that it is running in a ‘sandbox’ – a tool used to spot malware before it reaches users’ inboxes. Sandboxing is accepted by many organisations as the de facto defence against malicious email content, and malware authors are now going to great lengths to defeat it.

Company Articles

Professional cyber criminals were found to be specifically targeting public organisations such as police departments, hospitals and universities. BAE Systems’ expert analysis revealed Qbot’s international network of infected machines currently runs to more than 54,000 PCs due to the malware’s ability to spread automatically without any outside instruction. Due to a combination of detection avoidance and automated infection, there is a risk that Qbot will continue to spread unless organisations take steps to protect themselves.

Adrian Nish, Head of Cyber Threat Intelligence at BAE Systems, commented: “Many public sector organisations are responsible for operating critical infrastructure and services, often on limited budgets, making them a prime target for attacks. In this instance, the criminals tripped up because a small number of outdated PCs were causing the malicious code to crash them, rather than infect them. It was this series of crashes that alerted the organisation to the spreading problem.

“This case illustrates that organisations must remain alert to, and defend against, new and evolving cyber threats. Qbot first came to light in 2009, but this new version is equipped with advanced tools to escape detection and infect quickly.”

The team at BAE Systems worked to understand the malware’s own command and control network to work out how stolen data was being uploaded. In addition, they were able to identify how the programmers altered the destination of the stolen data each time, one of the ways in which the attackers can avoid detection and interception.